Before you begin

Install Istio with mutual TLS authentication by following the instructions in the Installation guide.

Start the httpbin demo with the Istio sidecar. Also, for testing purposes, run two instances of sleep, one with a sidecar and one without (in a different namespace). Below are commands to help you start these services.

Disable mutual TLS authentication for “httpbin” service.

If we want to disable mTLS only for httpbin (on port 8000), without changing the mesh-wide authentication settings, we can do that by adding this annotation to the httpbin service definition. The annotation key names the service port, so the setting applies only to traffic on port 8000.

  annotations:
    auth.istio.io/8000: NONE

For a quick test, run kubectl edit svc httpbin and add the annotation above (or edit the original httpbin.yaml file and re-apply it). After the change is applied, requests from sleep.legacy should now succeed, because mTLS is no longer required for this service.
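As an added example (not part of the original page), this is what the complete httpbin Service definition looks like once the annotation is in place. The port numbers and selector follow the standard httpbin sample (service port 8000 forwarding to container port 80); the only security-relevant line is the annotation, which disables mTLS for port 8000 of this service and nothing else. Switching the value to MUTUAL_TLS turns the same annotation into a per-service enable.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  # Per-port authentication override for this service only.
  # Key format: auth.istio.io/<service port>; value NONE disables mTLS,
  # MUTUAL_TLS enables it regardless of the mesh-wide default.
  annotations:
    auth.istio.io/8000: NONE
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000        # the port named in the annotation key above
    targetPort: 80    # httpbin container port (sample values)
  selector:
    app: httpbin
```

Apply it with kubectl apply -f httpbin.yaml. Because the override is keyed by service port, a service that exposes several ports needs one annotation per port whose policy you want to change; unannotated ports keep the mesh-wide setting.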

Note:

The annotation can also be used in the opposite direction, i.e., to enable mTLS for a service, simply by using the annotation value MUTUAL_TLS instead of NONE. You can use this option to enable mTLS on selected services instead of enabling it for the whole mesh.

Annotations can also be used on a (server) service that does not have a sidecar, to instruct Istio not to apply mTLS on the client side when calling that service. In fact, if a system has some services that are not managed by Istio (i.e., without a sidecar), this is the recommended way to fix communication problems with those services.

Disable mutual TLS authentication for control services.

Since control services such as the API server cannot be annotated, Istio 0.3 introduced mtls_excluded_services in the mesh configuration to specify the list of services for which mTLS should not be used. If your application needs to communicate with any control service, its fully qualified domain name must be listed there.
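As an added illustration (not from the original page), here is how the exclusion list appears in the mesh configuration, which Istio stores in the istio ConfigMap in the istio-system namespace. The camelCase key name mtlsExcludedServices is assumed here as the YAML rendering of the mtls_excluded_services field; the other fields shown are placeholders standing in for the rest of the mesh config and are not the exact contents of any release.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    # Mesh-wide default: require mutual TLS between sidecars.
    authPolicy: MUTUAL_TLS
    # Services the sidecar must reach WITHOUT mTLS, by fully qualified name.
    # Control services (no sidecar) cannot be annotated, so they go here.
    # Assumed key name for the mtls_excluded_services field.
    mtlsExcludedServices:
    - kubernetes.default.svc.cluster.local   # the API server (default entry)
    # ... other mesh settings omitted (placeholder)
```

A missing entry here is a common cause of a sidecar-enabled pod being unable to talk to the API server while mesh-wide mTLS is on: the sidecar tries to negotiate TLS with a server that has no Istio certificate, and the connection fails. Keep the list minimal, since every name on it is exempt from the mutual authentication the rest of the mesh relies on.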

In this part of the demo, we will show the impact of this field.

By default (0.3 or later), this list contains kubernetes.default.svc.cluster.local (which is the name of the API server service in a common setup). You can verify this by running the following command: